SAP HANA 2.0 Security Overview

SAP HANA 2.0 Security provides a range of security features and functions at the database and system level to ensure secure access control and secure system setup and configuration.

The goal of SAP HANA security is to protect data from unauthorized access.

Authentication
Only people who need to carry out tasks should be able to log on to the system.

Authorization
Users in the system should only be able to see and do what they need to fulfill their tasks.

Audit logging
There should be a record of critical user actions in the system.

Encryption
Data volumes should be protected from unauthorized access at the OS level.

Access Channels
SAP HANA database provides standard database interfaces, like Java Database Connectivity (JDBC) and Open Database Connectivity (ODBC).

Additionally, the embedded application server available in the SAP HANA database allows HTTP(S) access to the database.
For JDBC and ODBC client connections, user passwords are always transmitted in encrypted, hashed form during the user authentication process. The passwords are never transmitted in plain text.


For HTTP connections, HTTPS can be configured.
We can enforce that users connect solely via Hypertext Transfer Protocol (HTTP/HTTPS) by disabling JDBC/ODBC access.
By default, JDBC/ODBC access is enabled for normal users and disabled for restricted users.
In SSO environments, we recommend using encrypted communication channels for all client connections.

User Management
Every user who wants to work directly within the SAP HANA database must have a database user with the required privileges.
Users are locked automatically in certain situations (for example, if their validity period has expired or they entered a wrong password several times); manual locking is also possible.
Every tenant database has its own database users, including a tenant database-specific superuser SYSTEM.

Authorization
SAP HANA standard authorization mechanisms are applied to users at the database level. Different types of privilege are used in SAP HANA (system, object, analytic, package, and application).

Access Privileges
System privileges control general system activities.
SQL/Object privileges are SQL privileges that are used to allow access to database objects.
Analytic privileges provide different users access to different portions of data in the same view based on their business role.
Package privileges authorize actions on individual packages in the classic SAP HANA repository.
Application privileges in SAP HANA XS classic provide the authorization level required for access to an SAP HANA XS classic application.

Roles
A role is a collection of privileges that can be granted to either a database user or another role in run time. A role contains the privileges required for a particular function or task.

Roles and Privileges
Roles bundle privileges for specific groups of users. Role transport is available for DEV, QA, and PROD system landscapes.
Privileges control what users can see and do.
End user privileges include SQL privileges or analytic privileges, which provide access to database content (for example, SELECT on table).
XS application privileges allow users to execute application functions.
Administrator privileges include system privileges, which allow the execution of administration tasks (for example, backups and user management).
Developer privileges include repository privileges, which allow access to development artifacts in the repository.

Encryption of Data Communication in the network
Secure communication based on the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocol can be configured separately for internal channels and for external communication between individual databases and JDBC/ODBC clients.
The following connection types can be encrypted:
  • Client to server connections
  • Internal connections between SAP HANA components
  • Connections between two data centers

Encryption in the Persistence Layer
Data and log volume encryption can be enabled for the system database and tenant databases individually from HANA studio. This ensures that anyone who can access the data and log volumes on disk using OS commands cannot see the actual data and redo log entries. The encryption of data and log volumes can also be enabled for each database.
SAP HANA database uses the instance SSFS to store all internal encryption keys (that is, the root keys used for data volume encryption and the internal data encryption service).

Audit Log
The audit log provides you with visibility on who did what (or tried to do what) in the SAP HANA database, and when they did so. It allows you to monitor and record selected actions performed in the SAP HANA database.
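
The statements below tie together the user management, role, access channel and audit log sections above. This is an added example, not part of the original post. The schema SALES_DEMO, role REPORTING_READ, user REPORT_VIEWER, policy PRIV_CHANGE_AUDIT and the password are hypothetical placeholders, and the schema is assumed to exist.

```sql
-- Added example; all object names and the password are hypothetical.
-- Run as an administrator holding ROLE ADMIN, USER ADMIN and AUDIT ADMIN.

-- 1. Bundle the read-only privileges for one task into a role.
CREATE ROLE REPORTING_READ;
GRANT SELECT ON SCHEMA SALES_DEMO TO REPORTING_READ;

-- 2. Create a restricted user. Restricted users start without the PUBLIC
--    role and with JDBC/ODBC access disabled, so they can only reach the
--    database over HTTP(S) until an administrator decides otherwise.
CREATE RESTRICTED USER REPORT_VIEWER PASSWORD "Placeholder_Pw_1";
GRANT REPORTING_READ TO REPORT_VIEWER;

-- 3. Only if this user really needs a SQL client, open JDBC/ODBC explicitly:
--      ALTER USER REPORT_VIEWER ENABLE CLIENT CONNECT;
--    and close it again when it is no longer required:
--      ALTER USER REPORT_VIEWER DISABLE CLIENT CONNECT;

-- 4. Record every successful change to roles and privileges. The policy
--    only produces entries once auditing is switched on for the database.
CREATE AUDIT POLICY PRIV_CHANGE_AUDIT
  AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;
ALTER AUDIT POLICY PRIV_CHANGE_AUDIT ENABLE;

-- 5. Verify the result from the system views.
-- Expect IS_RESTRICTED = TRUE and IS_CLIENT_CONNECT_ENABLED = FALSE.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED, USER_DEACTIVATED
  FROM USERS
 WHERE USER_NAME = 'REPORT_VIEWER';

-- Expect exactly one row: REPORTING_READ.
SELECT GRANTEE, ROLE_NAME
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'REPORT_VIEWER';

-- Confirm the audit policy exists and is active.
SELECT *
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME = 'PRIV_CHANGE_AUDIT';
```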